nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

back to article
Sad reality: It's cheaper to get hacked than build strong IT defenses

Anonymous Coward

Sadly very true

Get hacked and virtually no impact to reputation or share price.

Compare it to the cost of doing secure IT and yet again the fucking bean-counters chose the low cost option and fuck those impacted by the breach.

10
0
Silver badge

Re: Sadly very true

"Get hacked and virtually no impact to reputation or share price."

The Yahoo hack might raise the share price. 500m addresses! Who knew?

15
0

Re: Sadly very true

"Yet again the fucking bean-counters chose the low cost option"

Company officers actually have a legal duty to operate the company in a financially responsible manner.

4
4
Silver badge
Facepalm

Re: Sadly very true

Company officers actually have a legal duty to operate the company in a financially responsible manner.

Oh really? And this is written where exactly?

The only one to complain will be the shareholder in any case...

Besides, the "financially responsible manner" is open to interpretation and risk management.

9
0
Silver badge

Re: Sadly very true

Company officers actually have a legal duty to operate the company in a financially responsible manner.

I bet they don't have a legal duty to behave ethically.

7
0

Re: Sadly very true

Perhaps others may have missed the sarcasm in your post thereby resulting in you getting more down votes than up votes.

I am sure that what you meant to say rather than imply is something along the lines of...

<sarc>Company officers actually have a legal duty to operate the company in a financially responsible manner.</sarc>

However the regulatory authorities involved, in this case financial, are either clueless shitwanks, limp thickdicks, in someone else's pocket, taking bribes or expect to parachute out of their 'public service' job into an executive role for the offending company on more money than they get at the moment along with a Golden Goodbye and Pension Pot from their previous 'public service role' so fuck all happens.

The previous applies to any and all regulatory authorities, unless they are fucking over a 'public service entity' whereby any fine and/or costs are paid for by your taxes, and, as a result, nothing short of exploding dildo LiION batteries will wake them from their slumber, probably not, having crawled off the wife in order to drool on the dog whilst snoring after another exceptional one minute performance with 10 inches of rock hard meat, 'Mr Limp' failed to protrude beyond the belly, leaving the wife to finish the job off and then the bean counters will still do a cost-benefit analysis.

Err... You might prefer to use different words.

HTH

10
0

Re: Sadly very true

"However the regulatory authorities involved, in this case financial, are either clueless shitwanks, limp thickdicks, in someone else's pocket, taking bribes or expect to parachute out of their 'public service' job into an executive role for the offending company on more money than they get at the moment along with a Golden Goodbye and Pension Pot from their previous 'public service role' so fuck all happens.

The previous applies to any and all regulatory authorities, unless they are fucking over a 'public service entity' whereby any fine and/or costs are paid for by your taxes, and, as a result, nothing short of exploding dildo LiION batteries will wake them from their slumber, probably not, having crawled off the wife in order to drool on the dog whilst snoring after another exceptional one minute performance with 10 inches of rock hard meat, 'Mr Limp' failed to protrude beyond the belly, leaving the wife to finish the job off and then the bean counters will still do a cost-benefit analysis.

Err... You might prefer to use different words."

Wow. Just wow. And I had to quote it just to flavour the full awesomeness again. Best rant I've read in years. If I could up-vote multiple times, I would.

3
0
Gold badge
Unhappy

"yet again the fucking bean-counters chose the low cost option"

It was a cost benefit analysis.

The cold equations said it'd cost them a shed load of money to do the changes and save about180 lives and 180 burns cases so the Board said f**k em.

IIRC one of those burns case was an 11YO boy. :(

Please note insurers regularly put a value on human life and some industries or products specify the model. IIRC a weighted average life time salary is often used, about $1-2m.

0
1
Silver badge

Re: Sadly very true

"Company officers actually have a legal duty to operate the company in a financially responsible manner."

Indeed they do.

But this is like a bank deciding: "The clients money is insured anyway, so why build an expensive vault? Just store the cash in cardboard boxes in the back room."

Bank saves millions, but would you call it "financially responsible"?

0
0
Silver badge

Re: Sadly very true

Only unless and until the insurance company "recovers" the loss from the bank for failing to meet the terms of insurance.

Or the regulatory authority and/or court awards punitive fines and/or damages.

Clearly, insurance companies will be the main driver for good security for the foreseeable future.

2
0
Anonymous Coward

Re: "yet again the fucking bean-counters chose the low cost option"

Equating the value of human life is a very complex issue. I'm pleased to say that in my 20+ years of infosec I've only had to weigh the cost of the loss of data and reputation. Very often the cost of securing data is more than it's worth. The classic example is to question the value of storing a £200 lawn mower in a shed with a £5000 lock and vault door. Whilst you may feel that your personal data held by a bank or business is priceless, sadly you are in your own with your estimation of its value. It's not always the bean counter making the call: it's much more likely the infosec manager deciding how much to spend securing your data.

0
0
Anonymous Coward

Re: Sadly very true

The effect on your reputation varies based on your industry. A bank getting hacked and losing customer information is going to be quite expensive, not just in mitigating the effect on existing customer, but the loss of selfsame customers and a dearth of new ones for a significant period of time, not to mention the fines imposed by the regulators.

Pay the money, get the good stuff, and be the best in the business. That's where you want to be.

1
0

Pinto was one of the few times a reputation took a sustained hit

Decades later everyone still quotes it (that and the "Ratner Effect"). A few contributing factors:

(1) it was a stark pricing of life - in public spaces we're too squeamish to do this (see the "can't put a price on human life" items posted on every public heath decision)

(2) it used that pricing to directly drive company behaviour, rather than pretending to be "nice" (we all know that companies run on cash not cuddles, but we'd prefer to believe it otherwise and they spend a lot of advertising bucks on the pretence)

(3) it was a company still thought of as a cornerstone of the American Dream (early 70s, US car firms still coasting on fumes of previous glories)

(4) it was novel (the public revelation, if not the behaviour)

(5) for whatever reasons brand identities matter in that sector: automobile manufacturers like to tout their legacies. In IT who does, other than IBM (and that's pretty hollow nowadays)? Some firms "re-invent" themselves, like HP/Compaq/whatever-the-fuck-is-left-of-them-now, some supposedly valuable identities get transplanted like McAfee (private/Intel/make-us-an-offer)

Since this doesn't apply when a dot-com loses our personal data (most of us lack a similarly visceral reaction of its value and with so many similar cases in recent years there's no sustained shock) we can't hope that the risk to the reputation will be a useful deterrent. So if we don't want the damage externalised (i.e. shat all over the customers, as it is today) are we looking at somehow devising standards and imposing serious penalties? (so much devilry in the details of how standards should be developed and compliance tested, etc)

15
1
Bronze badge

Re: Pinto was one of the few times a reputation took a sustained hit

The "Ratner effect" is an interesting study in reputational losses to a company. People think of it as a comment that destroyed a company. But it didn't - Ratners is still the largest jewellery chain in both the UK and North America. Of course, the name is different now. Ratner's comment didn't sink the company, just forced it to ditch one brand and continue business as usual through its others.

6
0

Re: Pinto was one of the few times a reputation took a sustained hit

Tom Clancy made a buck or two out of it...

http://tomclancy.wikia.com/wiki/Debt_of_Honor

1
0
Silver badge
Stop

Re: Mongo Re: Pinto was one of the few times a reputation took a sustained hit

".....(1) it was a stark pricing of life.....' No, it wasn't. The original Ford paper was nothing to do with "corporate culture" or "greed", it was simply a cost-benefit paper produced by Ford in 1973 for the NHTSA when the NHTSA was suggesting new rear-crash testing regulations. The original paper was a comparison of the costs to Ford of changing the Pinto fuel system and the cost to society of crash injuries and victims relating to burns from the existing design, not the cost of Ford being sued. This was subsequently taken waaaaaaaaaaay out of context by "progressive" Mother Jones journo Mark Dowie in a 1977 article, in which he even lied about the figures (he changed the analysis from 180 deaths to 500-900) to suit his Big Bad American Corporation theme. Ford was completely in line with the 1967 regulations when it originally designed the Pinto and the Pinto was later shown to be no more at risk from rear collisions than any of its competitors.

0
0

It's yet another example of biased risk-awareness.

You can take a service - let's say...a calendar. You've got a choice of going with provider A, who will give you a product that's free but with a few adverts and some behind-the-scenes data-slurping and the possibility that any details you give them may end up being sold in bulk by whichever unscrupulous group has compromised the security of that organisation.

Or you go with company B, who don't give you adverts, don't mine your data and invest heavily in their cyber-security platforms - but it'll cost you £10 a month for a product of a comparable standard.

Probably 95% of people would go for the former, and accept the risk that there's a very slight chance that some of their credentials will be compromised. If company A doesn't need your address and bank details, then the compromise is an inconvenience to the average user. If company B is compromised - and let's remember that no connected system can ever be 100% secure - then potentially you'll be exposed to a significantly larger loss - not just getting spammed for viagra and russian brides, but you may lose real beans-and-beers money from your bank account or credit card.

So yeah. I don't like the message but I kind of understand it. It feels like people increasingly see "being hacked" in the same vein as getting a speeding ticket - you do what you can to avoid it, and if it happens you'll be annoyed, but it's not the end of the world.

Interesting.

9
0
Silver badge

"If company A doesn't need your address and bank details, then the compromise is an inconvenience to the average user."

Really? A calendar as per your example? What's on the calendar?

Uncle Fred's 60th birthday next week? Ooh look, with got Uncle Fred's DoB. Is Uncle Fred identified in any further way? Does it have his email address? A little bit of information for ID theft and material for a more convincing phishing attempt - click on this e-birthday card.

Leave on holiday in 2 weeks time, return 10 days later? House unoccupied - nice.

Lots and lots of scope from a busy calendar.

7
4
Silver badge

Really? A calendar as per your example? What's on the calendar?

Still an inconvenience. Your interpretations may differ from somebody else's interpretation.

1
1
Silver badge

"Lots and lots of scope from a busy calendar."

You can replace 'calendar' with whatever you like - the OP was clearly just trying to come up with a simple example.

Company A provides a Facepalmascope. It's free [but slurping]. Company B provides one for a small fee, with no slurping - but payment details. Etc.

Sometimes there's a time for pedantry, and sometimes there's a time to look beyond it to see the abstraction.

13
0
Silver badge

"You can replace 'calendar' with whatever you like - the OP was clearly just trying to come up with a simple example."

Of course. I was just taking his example in the same way. Whatever you use a service to store there's likely to be lots of criminal value in it beyond the login and financial stuff. What other examples do you want? Email server? Password store?

0
0
Silver badge

I was of the understanding that cyber insurance wouldn't pay out if you were found to have taken less than adequate measures to protect your data assets.

A bit like home insurance, having it doesn't excuse you from having to lock your doors when you're out.

3
0
Silver badge

What about externalised costs?

Curious to know to what degree affected companies have been able to externalise the costs of data breaches. What price can we put on the hassle / worry / embarrassment / waste of time / personal financial loss accruing to the people whose data is lost?

Companies won't invest in good security until they are liable for the true and full costs of their greed, laziness and incompetence. We need to push our politicians to formulate laws and enable compensation schemes that make it too expensive to be cavalier about security.

6
0
Silver badge

Re: What about externalised costs?

" We need to push our politicians to formulate laws and enable compensation schemes that make it too expensive to be cavalier about security."

The EU have done just this, effective May 2018. Thanks to the numpties it might well not apply here.

7
0
Silver badge

Re: What about externalised costs?

Well, once Article 50 is signed, it's supposed to be a two year process - and if Supreme Commander May signs it in early 2017 (as has been suggested), that means we'll still be in the EU until early 2019 - so it'll be interesting to see what happens with such things.

I'd rather it not be interesting, though, and just know.

4
0
Silver badge

Re: What about externalised costs?

"that means we'll still be in the EU until early 2019"

Yup, but how long would it take for a case to get through to court?

0
0
Silver badge

Re: What about externalised costs?

They might fast-track it.

Always good to get an early bit of case law, even better if there's no time for any appeal.

0
0
Vic
Silver badge

Re: What about externalised costs?

Well, once Article 50 is signed, it's supposed to be a two year process

ITYF it's not more than two years; it can be shorter.

Now given that we're negotiating form a position of weakness - and the treaty seems to be set up to do that deliberately - I can't imagine it taking less than the full two years. But Boris was banging on about doing it more quickly the other day...

Vic.

0
0

Ultimately the decision is to be taken en-masse by the buying public, and time and time again the public proves it couldn't give a rats if a) They've not yet suffered personally and b) Insecure company A is cheaper. For example, look up phone/broadband in the UK, you'll almost certainly find TalkTalk is cheapest and they're getting new customers even as we speak yet everyone remembers their data breach, which proves TalkTalk were right to do a piss poor job as long as people can save about £20-£30 a year.

4
0
Silver badge

"For example, look up phone/broadband in the UK, you'll almost certainly find TalkTalk is cheapest and they're getting new customers even as we speak yet everyone remembers their data breach,"

Yup. I know a few - including two clients - who have signed up with them since that. When asked - with the breach specifically mentioned - they've all said the same thing: They were the cheapest.

People are stupid.

8
0
Silver badge

Actually TalkTalk took a battering and have only recently started to stop the decline.

2
0
Silver badge

Of the few I know, though, all but one of them had signed up with TalkTalk within a month of the breach being in the mainstream news. If they'd signed up now, I'd still be inclined to point out their history, and my flabber would still be gasted by the choice, but considerably less so.

2
0
Silver badge
Flame

Even when they do 'invest' in security they get it wrong

Take Yahoo (you can keep it). They want your phone number to do 2FA. They get hacked and the phone numbers they've got get stolen so if you gave them your phone number you're less secure, not more.

Why have they not used FreeOTP (or made a brain-dead tap-and-drool Yahoo-branded version based on the open source original) to do 2FA? If they had done this then I would have used 2FA, but they don't, they insist on a phone number which I'm never going to give them precisely because of hacks like this... or because they've probably sold them on to their "trusted partners" anyway.

Trust goes both ways, very few companies manage to show they're worthy of it.

10
0
Silver badge

Re: Even when they do 'invest' in security they get it wrong

"Take Yahoo (you can keep it). They want your phone number to do 2FA. "

Exactly. Everyone wants your cell phone number for "security".

The way I see it: If I give it to them, I'm giving it to the world.

No Thank You.

6
0
Mushroom

Solution?

The solution it is to not make it cheaper: fine the companies that are hacked.

7
0
Silver badge

Re: Solution?

Or another step: require insurance for handling of users and customers data and let the insurance premiums factor in the possibility of breach in your particular setup. You cannot have "100% secure" and you have to pay one way or another - either in your security setup or in insurance premiums.

However, step one to this would be for companies to actually need insurance money, in significant quantity enough to bother with insurance in the first place. That's when fines (or perhaps civil action lawsuits) come in.

8
0
Silver badge

Re: Solution?

" fine the companies that are hacked."

You want immediate action? Howls of agony and outrage? Actual results?

As well as fining the company, freeze 10% of each of the shareholder's stock for two years, or until the problem is fixed.

Most companies would be secure before the next quarter.

(And a lot of politicians would find lose campaign funds next election, so win/win!)

5
0
Anonymous Coward

Re: Solution?

" fine the companies that are hacked."

And don't do the bloody typical British thing by capping the fines at a level that could destroy small firms, but scarcely put a dent in the annual soirée budget for the large ones. That really does grate.

0
0
Silver badge

Re: Solution?

And don't do the bloody typical British thing by capping the fines at a level that could destroy small firms, but scarcely put a dent in the annual soirée budget for the large ones.

That's typically American as well.

0
0

Eh?

That average seems pretty low. They always seem to cost a whole lot more when it actually comes to sentencing the disillusioned kid still hiding underneath the bed.

Not sure attributing the cost of plugging a hole that shouldn't have been there in the first place, is entirely fair.

3
0
Facepalm

I'll Take that Risk

Per comments by other posters, the cost doesn't really hit home... until it gets personal. Taking this kind of risk is a gamble to be sure, and one component the article doesn't look at is the future risks of IoT. We're on a digitization fastrack to ramping up connectivity of everything from cars and homes, to things we haven't even conceived of yet. The study cited looked at 2004-2015; even if we agreed with those round average numbers, that's not the future we're looking at.

0
0

The author of the report clearly knows nothing about cyber insurance.

How can a cyber insurance company know anything about the actual state of a company's cyber insurance when its primary data intake is a 9 page, user filled out form?

What cyber insurance company's do is 2 buckets:

1) Value at risk: how much would they possibly have to pay. This part, they can judge reasonably well.

2) Is the insuree trying at all? Trying but incapable? Not trying?

That's where the industry is at right now, and will continue to be until some way of understanding "good" security vs. "bad" security can be automatically and easily computed.

0
0
Silver badge

"That's where the industry is at right now, and will continue to be until some way of understanding "good" security vs. "bad" security can be automatically and easily computed."

But the human factor always gets involved which is why computers can't do it and why you need human actuaries; it takes one to know one, basically.

0
0
Anonymous Coward

Capitalism

This is the kind of insanity that inevitably happens as a consequence of the mindless pursuit of wealth/capital for the sake of acruing more wealth/capital. Eventually no one wins, we're not quite there yet, soon enough we will be.

PS Marx had a thing or two to say about this kind of degeneracy.

PPS AC because of all the neo-con cuntz that lurk here

4
2
Silver badge
Holmes

Re: Capitalism

I will just state that you don't know what a neo-con is.

Protip: It has nothing to do with capitalism. It has, however, a lot to do with Troskyism and Zionism.

0
0

Wrong.

Strong security is about hiring competent people, and has nothing to do with paying for "top shelf systems". The two most important softwares for a strong security presence are completely free.

5
0
Silver badge

Re: Wrong.

"Strong security is about hiring competent people"

...and doing what they say. If this means rewriting the colander that the servers present to the net be prepared to pay to do it.

2
0
Silver badge

Re: Wrong.

And if there's no money and the executives aren't interested? And it's like this throughout the industry? AND they pay off the regulators?

0
0

Take it from this poor health American. Insurance is not the answer.

4
0
Devil

Blame the hacker

The real problem, if you ask me, is that is the operators of these sites are never accountable for their own shitty security. Everybody blames the hacker. The real black-hats are rarely caught, but sometimes a white-hat will politely point out a vulnerability and expect to be rewarded - instead he is ignored (perhaps to save face) and the vulnerability often remains unpatched. So a grey-hat comes along and rudely makes the vulnerability obvious to all. In most cases he is attacked by the organisation (never mind rewarded) and frequently prosecuted by the state (who want to make an example of him in the hopes that this will scare the black-hats).

IMO the real reason that companies never bother to secure their networks, is because they can always label it as a "cyberattack", as if NOBODY could have stopped this ACT OF TERROR on their systems.

When a system of this scale gets compromised, it should be the sysadmin, not just the "hacker" who gets held accountable by the state. It would be nice if there was a neutral authority that white-hats could report vulnerabilities to, which will confirm them and then force (by law) the companies involved to close them.

Then again, the cynic in me says these sites are deliberately left open so that the state spies can get in, whilst having yet another excuse to pursue and destroy anyone else who wields the same power.

0
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

The Register - Independent news and views for the tech community. Part of Situation Publishing